ipfw: make the upper half lock sleepable
ClosedPublic
Actions

Authored by glebius on Jan 5 2026, 7:38 PM.

Details

Reviewers

melifaro
ae
lytboris_gmail.com

Group Reviewers

network

Commits

rGe3caa360d5d0: ipfw: make the upper half lock sleepable

Summary

The so called upper half ipfw lock is not used in the forwarding path. It
is used only during configuration changes and servicing system events like
interface arrival/departure or vnet creation. The original code drops the
lock before malloc(M_WAITOK) and then goes into great efforts to recover
from possible races. But the races still exist, e.g. create_table() would
first check for table existence, but then drop the lock. The change also
fixes unlock leak in check_table_space() in a branch that apparently was
never entered.

Changing to a sleepable lock we can reduce a lot of existing complexity
associated with race recovery, and as use the lock to cover other
configuration time allocations, like recently added per-rule bpf(4) taps.

This change doesn't remove much of a race recovery code, to ease bisection
in case of a regression. This will be done in a separate commit. This
change just removes lock drops during configuration events. The only
reduction is removal of get_map(), which is a straightforward reduce to a
simple malloc(9).

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 69632
Build 66515: arc lint + arc unit

Event Timeline

glebius created this revision.Jan 5 2026, 7:38 PM

Herald added subscribers: vegeta_tuxpowered.net, donner, imp. · View Herald TranscriptJan 5 2026, 7:38 PM

glebius requested review of this revision.Jan 5 2026, 7:38 PM

Harbormaster completed remote builds in B69632: Diff 169093.Jan 5 2026, 7:38 PM

Fix lock leak in ipfw_commit_rules().

Harbormaster completed remote builds in B69667: Diff 169197.Jan 6 2026, 5:51 PM

The only sleepable context where the lock was acquired was dyn_tick(). The
comment said it is done to prevent parallel execution of
dyn_expire_states().  However, there is proper internal locking in there
and function should be safe to execute in parallel.  The real problem is
dyn_expire_states() called via userland to race with dyn_grow_hashtable()
called via dyn_tick().  Protect against this condition with the main chain
lock.

Harbormaster completed remote builds in B69687: Diff 169254.Jan 7 2026, 5:33 PM

glebius added a child revision: D54580: ipfw: remove locking workarounds in the table code.Jan 7 2026, 5:41 PM

ae added inline comments.Jan 12 2026, 11:11 AM